How to Monitor Network Traffic in Windows Using Netsh Command

This tutorial teaches you how to use the Windows Netsh command to monitor network traffic and export it to an external file for later use and analysis.
Captain Salem 2 min read
How to Monitor Network Traffic in Windows Using Netsh Command


Network Shell, commonly known as Netsh, is a command-line tool in Windows that allows administrators to configure and manage various networking components, such as network interfaces, IP addresses, DNS servers, and more. It is included in all modern versions of Windows and can be accessed through the Command Prompt or PowerShell.

Netsh is a command-line tool used to manage and troubleshoot network configurations on Windows. It can also monitor network traffic by capturing packets and displaying statistics.

How to Access the Network Shell

In Windows, we can access netsh using the Command Prompt or Windows PowerShell.

Open Command Prompt with administrative privileges. Click on the Start menu, type cmd, right-click on Command Prompt, and select "Run as administrator."

In the command prompt, you can open the network shell by running the command:


This should open the netsh prompt and allow you to configure networks:


Netsh Monitor Network Traffic

To start monitoring network traffic in the netsh utility, run the command below:

netsh> trace start capture=yes

Press Enter. This will start capturing network traffic.

Example command output:

Trace configuration:
Status:             Running
Trace File:         C:\Users\csalem\AppData\Local\Temp\NetTraces\NetTrace.etl
Append:             Off
Circular:           On
Max Size:           512 MB
Report:             Off

Wait for some time to capture enough traffic, and then  run the command:

netsh> trace stop

This will stop the capture.

Example output:

Merging traces ... done
Generating data collection ... done
The trace file and additional troubleshooting information have been compiled as "C:\Users\csalem\AppData\Local\Temp\NetTraces\".
File location = C:\Users\csalem\AppData\Local\Temp\NetTraces\NetTrace.etl
Tracing session was successfully stopped.

Convert ETL File to Wireshark Capture

In order to read and analyze the captured traffic, we need to convert the etl file to a .cap file as shown in the command below:

trace dump tracefile.etl -o capture.pcap

You can now open the capture.pcap file in Wireshark or other network analysis tool to view the network traffic.


In this tutorial, you learned how you can use the Windows netsh utility to capture network traffic and export it to an external file for later use.

We hope you enjoyed this tutorial. Feel free to comment below and let us know your thoughts.

More from GeekBits

Join us at GeekBits

Join our members and get a currated list of awesome articles each month.

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to GeekBits.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.